CEN-CENELEC publishes the horizontal DPP standards: the EN 18xxx family explained

Key takeaways

• On 25 June 2026, CEN and CENELEC presented the horizontal EU Digital Product Passport standards developed by CEN/CLC/JTC 24 under mandate M/604 (C(2024)5423).
• Eight modular standards make up the EN 18xxx family. Six are published (EN 18216, EN 18219, EN 18220, EN 18221, EN 18222, EN 18223); two security standards (prEN 18239, prEN 18246) are under formal vote until 16 July 2026.
• They are horizontal standards: they define how a DPP works, not which data each product must carry. The data points stay in the product-group delegated acts.
• Applying the standards lets companies declare conformity at lower cost, and the modular design reduces vendor lock-in.
• The first full Digital Product Passport, for batteries, applies from 18 February 2027.

On 25 June 2026, CEN and CENELEC held a public webinar, "How to become compliant with EU Digital Product Passport legislations: guidance on the recently published European standards", presenting the horizontal standards developed by the joint technical committee CEN/CLC/JTC 24, Digital Product Passport, Framework and System, under mandate M/604 (C(2024)5423). These standards turn the abstract Digital Product Passport requirements of the ESPR (Regulation (EU) 2024/1781) into a concrete, modular technical stack that any product sector can build on.

A crucial distinction: these are horizontal standards. They define how a DPP is built, identified, stored, secured and made interoperable. Which data points each product must carry still comes from the product-group delegated acts. The JTC 24 standards are the common plumbing; the delegated acts remain the content.

What the DPP will look like

• The DPP is linked to a unique product identifier through a data carrier.
• The data carrier is physically present on the product, on its packaging, or in the documentation accompanying the product, as specified in the applicable delegated act.
• Identifiers comply with ISO/IEC 15459:2015 on automatic identification and data-capture techniques.
• Access to the information is governed by the essential requirements and by the specific access rights set at product-group level in the relevant delegated act.

The eight standards

The standards form a modular, interlinked family under mandate M/604, all carrying the 2026 designation:

Six of the eight standards are published. The two security standards, prEN 18239 and prEN 18246, are under formal vote until 16 July 2026 and are expected to follow shortly after. CEN-CENELEC used an adapted, faster workflow for the DPP standards: two main steps remain (Enquiry and Formal Vote) with a single European Commission assessment.

How a passport read works, mapped to the standards

The standards correspond to the distinct phases of reading a passport from a physical product:

What each standard covers

• EN 18216, data exchange protocols. Universal exchange formats and protocols that avoid vendor lock-in, machine-readable structures so software can query and interpret product data automatically, data integrity across the lifecycle, and simple interfaces that lower implementation cost by integrating with existing corporate databases such as ERP systems.
• EN 18219, unique identifiers. How identification codes are structured so manufacturers, consumers, recyclers and market-surveillance authorities can reach the product's sustainability and circularity data. It defines three identifier types: product, economic operator, and facility.
• EN 18220, data carriers. Criteria for the physical-to-digital link: supported symbologies (QR codes and Data Matrix optical 2D codes, plus RFID tags and NFC chips), print and production quality, error-correction codes for redundancy if a label is damaged, durability against lifecycle conditions (textile washing, mechanical abrasion, sun exposure), and placement on the product, packaging or documentation with common visual indicators. It explicitly excludes software architecture, business-specific use cases and cryptographic security, which are handled by the complementary security standards.
• EN 18221, data storage, archiving and data persistence. Where and how data is stored so it stays accessible for years: persistence even if the economic operator ceases activity or goes bankrupt, decentralised storage so the system does not depend on a single central server, historical archiving of prior versions, replication and backups, and rules on how long data must be retained.
• EN 18222, APIs and lifecycle management. Technical specifications and gateway services so different software systems connect automatically: standardised APIs for automated queries, lifecycle operations on the data, gateway link resolution that redirects a read request to the exact database, and compatibility across hybrid systems in different sectors and EU countries without manual adaptation.
• EN 18223, system interoperability. The conceptual and data framework so product information can be shared, understood and reused across platforms and industries. It covers semantic interoperability (shared meaning), technical interoperability (serialization and encoding), organisational interoperability (fitting DPP flows into existing IT), a common information model, data-dictionary integration, and modelling rules for sector committees designing product-group passports, aligned with ISO and IEC terminology bases.
• prEN 18239, security and confidentiality. Access rights management, IT security, data protection and responsibility transfer between economic operators. Under formal vote until 16 July 2026.
• prEN 18246, data authentication and integrity. A framework for secure information processing and communication safeguarding integrity, authenticity and reliability in DPP data exchange. Under formal vote until 16 July 2026.

Why the modular design matters

The eight standards are designed to be substitutable and decoupled: any standard can be swapped for another that performs the same function, and changing one module does not force changes in the others. The practical effect for companies is reduced vendor lock-in and the freedom to assemble a compliant DPP from interoperable building blocks rather than a single proprietary platform.

One deliverable remains open. The meta-structure, the interface layer that binds the eight standards together, is part of a wider work item that JTC 24 expects to resume after the summer break, aligning the stack with both today's ESPR requirements and the upcoming European Product Act.

What this means for companies

• Conformity through voluntary standards lowers cost. The model is: EU law sets high-level objectives, businesses apply the harmonized standards, document their application and declare conformity, and authorities assume conformity. That is a major saving compared with bespoke conformity assessment.
• Build on the stack now. If you are preparing a DPP, map your identifier scheme to EN 18219, your data carrier choice to EN 18220, and your interoperability and API design to EN 18223 and EN 18222. This is the technical blueprint to design against ahead of the first passports.
• The clock is concrete for batteries. The full Battery Digital Product Passport applies from 18 February 2027. The infrastructure you stand up against these standards is the same infrastructure that will host that passport.

Sources

• Webinar recording (CEN-CENELEC YouTube): https://youtu.be/gBjV81lBMcU
• Webinar slide deck (PDF): https://www.cencenelec.eu/media/CEN-CENELEC/Events/Webinars/2026/20260625_cen-cenelec-webinar-on-dpp-final_rev20260625.pdf
• Event page: https://www.cencenelec.eu/news-events/events/2026/2026-06-25-webinar-eu-digital-product-passport/

Track the technical detail on our identifiers, interoperability and data-governance playbook steps, and the regulatory picture on the ESPR overview and the delegated-acts tracker.